Windows 8 phones home, tells Microsoft every time you install a program


Security researcher and blogger Nadim Kobeissi has uncovered evidence that Windows 8 doesn’t just keep a local log of installed programs — it phones home to tell Microsoft every time you install an application. This is a significant expansion of a technology Microsoft introduced in Internet Explorer 9, called SmartScreen. In IE9, SmartScreen was an optional feature that would warn users if they ran a program that wasn’t whitelisted/flagged with a positive reputation according to Microsoft’s servers. It was part of a wider initiative to encourage developers to sign their code, and MS claimed that SmartScreen significantly reduced the chances of downloading and installing malware.

Redmond decided to up the ante in Windows 8. SmartScreen is now a system-wide defense technology, enabled by default, and it tracks every program/application install on every PC. That data is sent to MS using a hashed value that contains the app installer and the code signature. Your IP information is also included, which makes it trivial for MS to trace back which IP addresses installed which software.

If the application has a high reputation, the install proceeds normally. If not, users are greeted with an explanation like this:

Or this:

If the system is offline, SmartScreen apparently tosses you a warning that *gasp* your machine is no longer protected, and Windows can’t *clutches pearls* help you decide if a program is safe to run!

Security advocates, thinking people, and everyone who isn’t Microsoft naturally find this troubling. For one thing, MS now has a database of what every IP is installing. Even if the company takes steps to make that information anonymous, there’s no way the government will ignore a centrally maintained database of activity once it believes it can link an IP address to particular users. Second, there’s the temptation to use this information for targeted advertising. If Microsoft sees an IP address installing video games or Xbox Live content, it knows that’s probably a gamer. If you’re downloading cooking apps, you might like to see some ads for recipe websites.

This strikes at one of the problems with so-called anonymous data — it’s not actually anonymous. If I know your IP, the apps you install, and the websites you visit, I know an awful lot about you. I may not retain that data, but you can bet that governments and corporations will both want to get their hands on it. The earnings from monetizing the information, and the associated temptation, are potentially huge.

Then there’s the fact that the server Windows 8 communicates with supports an insecure version of SSL (SSLv2), the OS never warns users that SmartScreen is spying on them, and the certificate security model has some known problems and has been prominently compromised in recent memory. Even if you don’t care that Microsoft has the data, the lack of transparency is deeply troubling.

How to blow your street cred in three easy steps

Step 1: Take a principled stand for user privacy, even when that stance will anger advertisers and companies like Google.

Step 2: Stick to your guns. Declare that enabling Do Not Track by default is the best way to respect users’ right to privacy. Create perception that you are doing this on behalf of users, not because you want to screw your biggest advertising competitor and market leader.

Step 3: Blatantly ignore user privacy. Send a report of all system activity back to headquarters via IP address, possibly with a flawed cryptographic protocol. Don’t tell users what you’re doing. Imply that if they disable this service, they’ll be making a terrible mistake.

That whoosh you hear is Microsoft’s burgeoning credibility on privacy and user rights flushing down the drain. SmartScreen can be disabled in user settings, but the default implementation raises serious concerns.

Microsoft has since reached out to us with the following statement: Although Windows SmartScreen is part of the Windows 8 Express Settings during the first-run experience and we recommend it be enabled, if users are concerned about sending this data to Microsoft, they can choose to not enable the feature.

We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.

With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not use the SSL2.0 protocol.

The one part of this statement we take issue with is the “Users can choose not to enable this feature.” At present, the W8 setup screen does not tell the user that the feature sends data to MS on every application install. The downside and privacy concerns are not presented at all. This is odd considering that MS made such a point of pushing for consumers to be notified regarding Do Not Track.


So does OS X, so does the iPad, so does the iPhone, so does Android, so does Windows 7 + IE9.

Joel Hruska

IE9 phones home downloaded data, not every installed app. And I must’ve missed the meeting where the behavior of big companies magically made things acceptable.

Who you trust your data to is your business. That’s a personal call. But no one gets points for the “But everyone else does it!” explanation, ever.

Xplorer4x4

My guess is he commented on the headline alone. Hell, based on the headline I nearly ignored the article thinking “so what?” I thought Android/Google has been doing this for years to account for how many users use an app as the information is printed right in the description page. What the headline lacks, and I realize you can only do so much with a headline, is that this actually blocks out applications from running. “Windows 8 Phones Home Preventing Unauthorized App Installation” would be a slightly better headline, but I don’t get paid to come up with the headlines so I shot from the hip.

James Tolson

who cares? really? no one will buy windows 8, many people will dump windows and download Linux instead.. because the market demands a real OS, The only market Microsoft will have is the ipad rip off tablets they are forcing oem’s to make which won’t sell, because the people that want a tablet device already have an ipad?

Joel Hruska

*rofl*

That’s hilarious.

I’ll bet you a chicken dinner that on August 24, 2013, the installed user base for Linux PCs (desktops and laptops) will be…exactly the same as it is now (in percentage terms).

PickUsername256

There are two reasons why it will never happen
– nobody markets Linux except for few enthusiasts
– Linux isn’t preinstalled on computers

doubledeej

Don’t forget that maintaining Linux and finding software that works on your particular distro can be a nightmare.

PickUsername256

No, maintaining Linux is actually easy; package managers ensure that.

Finding packages which are needed for your particular distro is not a general Linux problem, it is a distro problem.

http://profiles.google.com/krzrsms david b

Actually linux is preinstalled on many computers, and it is a growing trend. It was an option on my dell xps system, and is an option on other oems as well.

http://kevmcclain.myopenid.com/ Kevin McClain

As a Linux user for the last 10 years, I can promise you the general public will not move to linux until it is easier to install and configure, or it comes pre-installed on the device they are purchasing. Do you think Android would have been so successful if you had to buy a windows phone, wipe it and reload it with Android? And I do think Windows 8 will do just fine. They will continue to lose market share to Apple a little bit at a time, but I don’t see Linux picking any of that market share up.

chojin999

Microsoft loves to sue people. Even FBI agents and politicians install “malicious” programs (=pirated)… so.. Everyone is tracked and everyone is guilty and everyone can be sued at will.

“and it tracks every program/application install” basically a registry in the cloud we can’t edit, say it ain’t so Joe, I mean Joel

http://society50.com wmac

So much BS in a single article…

Is the list of applications being installed so important? You install them from app market anyway.

Joel Hruska

Wmac,

If you use the app market. What makes you think people automatically will?

The vast, vast majority of my PC software purchases and downloads have nothing to do with Microsoft. I am not interested in running all those purchases *through* the App Store. Nor am I interested in helping create the idea that a single point of entry for an x86 system as far as application approval is a good idea.

I am not against App Stores. I am not against MS developing one. But that doesn’t mean I’m interested in using it all the time, either.

CloudchaserSakonige

It would be more accurate to say “If the maker of the application has paid Microshaft for a “certificate,” the install proceeds normally. If not, users are greeted with an explanation like this”

Joel Hruska

No, it wouldn’t. Microsoft’s reputation system is not fee based.

CloudchaserSakonige

I stand corrected, thanx! :-)

David Rector

An EV certificate builds reputation with the SmartScreen service. This is documented on the Symantec website where they sell these certificates for over $700.00 per year. On the other hand, a cheaper standard code signing certificate does not seem to help and users are still told that the downloaded program is “potentially” malware. Of course the word “potentially” is interpreted by most users to mean “likely” or “for sure” malware.

h4rm0ny

Not really more accurate. You can pay VeriSign, StartCom or others for a certificate to sign your code and you can sign as many things as you care to have under your name. StartCom has certificates you can use for code-signing for about $60. Doesn’t need to be Microsoft as far as I’m aware. Signed code is actually a good thing. I mean, you check your hashes when you download something for Linux, right?

CloudchaserSakonige

Didn’t know that, thanx!

I don’t use Linux, just Win7. I’ve depended on Avast Antivirus to stop bad things for years and it has yet to fail me.

http://twitter.com/GautamDMan gautam divekar

Use Microsoft Security Essentials. It is better and has lower footprint. Windows 8, RT will have MSI built in. And because programs are sandboxed you only need a free signature. I think it is taken from number of installs elsewhere on the network, just like how web phishing works.

h4rm0ny

No problem. It’s refreshing to find a site where information can actually be exchanged in a friendly fashion rather than endless arguments!
I use MS Security Essentials as the poster below has also recommended. Though in my limited experience, Avast is actually pretty good. It’s Norton and McAfee that devour your entire system, in my experience. Anything is better than those two unless they got radically better over the last couple of years.

CloudchaserSakonige

I actually did used to have Norton, then I went with Avast after my computer repair shop told me that Avast works better and is less clunky

JDRahman

This looks like an anti-piracy drive. Build a database of users who have pirated and sue a few of them in high profile cases to scare the rest into buying legal versions.

And of course the targeted advertising as well.

Heisenberg7

My thoughts exactly. Windows 8 is shaping up to be another Vista – continuing Microsoft’s trend of every other version sucks, every other version is good.

http://www.facebook.com/profile.php?id=29001294 Nick Cummings

Hi Joel,
I couldn’t agree more about the implications of this. However I’d like to see a bigger piece on some of the other implications of the changes coming in the Windows 8 philosophy. A great example being the focus of having to log-in with a Live account to gain access to most of the features in Windows 8. I realize this is akin to signing in to iTunes on an iPad etc, but it takes it to a whole new level with scale. Microsoft has been far less than transparent regarding what information they will record and track every time you sign into your computer. With a live account they not only can connect this back to an IP address they can connect it back to all your personal information without even trying.

Considering recent issues like Google’s fine for Safari Tracking, The Carrier IQ software that was “hiding” in millions of phones, Apple and Google both failing to properly purge location databases or honor user requests.

The point is almost every major hardware and software vendor in the new phone and tablet space has been actively monitoring their users to a degree that’s almost creepy. With little if any disclosure. Windows 8 is going to do much the same for the PC space and there has been remarkably little coverage of this fact.

Joel Hruska

The Carrier IQ situation was considerably different, for two reasons. First, because CIQ made software — it didn’t decide what got logged. There was nothing wrong with the software package CIQ made, and nothing intrinsically privacy-destroying about its intended deployment.

Second — and the part that wasn’t initially known (I felt bad about it later) was that CIQ *didn’t* contain button-logging info of the sort that seemed to be occurring. That was caused by input data appearing to have been logged but not actually transmitted.

h4rm0ny

” A great example being the focus of having to log-in with a Live account to gain access to most of the features in Windows 8.”

I don’t think most of the features of Windows 8 require a Live account. You only need it for using SkyDrive or if you want to install software via the Windows Marketplace (and you don’t have to install via the Marketplace). I don’t have a Live login on my laptop which is running Win8 and it’s fine.

doubledeej

Why don’t you call out Google for reporting the URL of every web site you visit in Chrome back to their servers? Isn’t that far worse?

Or maybe calling out Apple or Google for building a database of user installed apps that come from their app stores?

How is this any worse?

Joel Hruska

Is this “worse?” No. But if you consider the typical privacy and protection available on the PC and compare against mobile, mobile is far more locked down / monitored. I am generally against attempts to inject this type of mobile behavior into the PC realm. With that said, I also think MS is exploiting its newbie position in ARM to lock down that platform and provide a second-class experience.

http://www.facebook.com/tonyenkiducx Tony Cheetham

This is such nonsense, the SmartScreen technology is actually licensed by several other high profile companies, Mozilla being a big one that springs to mind. There is no industry wide concern, this is a good security measure that helps users maintain security, and everyone in the anti-virus community would welcome this, it helps their software appear safer (You don’t get viruses? Must be because of Avast/Malwarebytes/Kaspersky/etc). And I don’t see the issue with your IP address being included in the data, how the hell are they supposed to send you a response if they don’t have your IP address?!?!

As a very long term user of a lot of operating systems I can state with some authority that Microsoft couldn’t care less if you pirate someone else’s software, they rarely care if you pirate theirs. The only time I can recall Microsoft becoming litigious about licensing is when large companies start to pirate MS software on a large scale, and I don’t think most people would have a problem with that.

Michael Xie

Totally an anti-piracy move. Too bad us pirates have waaay too many tricks up our sleeves.

http://pulse.yahoo.com/_QH25RVNTUIAU7HT6DQ7CONEO2U havasu46

Wow, more anti-Microsoft FUD and Android and Apple stores don’t track app installs. Come on fellas, Android tracks ad clicks and that’s how Google makes $$$$ to give it away. Apple iOS store has to track installs too, as well as carriers that add charges to your bills.

Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2015 Ziff Davis, LLC.PCMag Digital Group All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC. is prohibited.